remove conntrackd package

As per bug discussion, conntrackd is actually not needed for netfilter
framework, and given that users do not appear to find the logs useful
(the only reason we're using conntrackd), let's just remove it.

This commit also defines a variable container_remove_packages so that
the list of packages to remove from containers can be added to in the
future.

NOTE: removing conntrackd does not unload the kernel conntrack modules
or disable the netfilter conntrack framework. It simply means we are not
gathering ostensibly useless logging. The kernel conntrack flows can
still be interrogated with the 'conntrack' userspace cli tool, for real
time debugging.

Change-Id: Ic74e65a6fe27060dc94bfc2f250cd53fb153c7c8
Closes-Bug: 1457196

playbooks/roles/os_neutron/defaults/main.yml

@@ -216,7 +216,6 @@ neutron_rpc_backend: rabbit
 #  "get_subnet": "rule:admin_or_owner or rule:shared"
 
 neutron_apt_packages:
-  - conntrackd
   - conntrack
   - dnsmasq-base
   - dnsmasq-utils
@@ -225,6 +224,9 @@ neutron_apt_packages:
   - keepalived
   - libpq-dev
 
+neutron_apt_remove_packages:
+  - conntrackd
+
 neutron_pip_packages:
   - configobj
   - cliff

playbooks/roles/os_neutron/tasks/neutron_install.yml

@@ -36,6 +36,18 @@
   tags:
     - neutron-apt-packages
 
+- name: remove specific apt packages
+  apt:
+    pkg: "{{ item }}"
+    state: absent
+  register: remove_packages
+  until: remove_packages|success
+  retries: 5
+  delay: 2
+  with_items: neutron_apt_remove_packages
+  tags:
+    - neutron-apt-packages
+
 - name: Install pip packages
   pip:
     name: "{{ item }}"